Introduction. To increase the decision-making efficiency at the enterprise, it is advisable to use a special software package of intellectual support. Such a product is necessary when designing an information security system and increasing its invulnerability during modernization or configuration changes. Research objectives are as follows: to develop an algorithm and a mathematical model of the software package for intellectual decision support.

Materials and Methods. The decision support method for designing an information security system is based on the use of a neural network (multilayer perceptron). For an objective assessment of the initial security of an information system (IS), a mathematical model for the analysis of security events is developed.

Results. The statistics of malicious attacks on the IS of enterprises are analyzed. The need for timely and accurate modernization of the information protection system is determined. Important characteristics of designing an information security system are the speed at which the result is obtained and the reduction in the residual risk of the IS. In this regard, the use of artificial intelligence systems in the process of determining the best set of protection subsystems is important. The threats to cyber security (CS) are classified. The main classes of security events are defined. A mathematical model of the neural network is developed; the input parameters of its operation are indicated. The current enterprise IS generates numerous events, which necessitates the automatic collection and analysis of data from the subsystems for registering IS objects. The process of analyzing security events is considered in detail, since the adequacy of the generated design decisions depends on the correctness of the data obtained in this way. The algorithm of the software package is formed.
Discussion and Conclusions. The results can be used in the design of the information security system at the enterprise. In addition, CS administrators can use the developed software package to adjust the configuration settings of information security tools. The proposed solution will minimize the destructive influence of the developer of the security system, which may happen to be subjective.
Introduction. With the development of industry in Russia, the number of enterprises classified as objects of critical information infrastructure (OCII) is growing. Statistics on the distribution of attacks from the vendor Positive Technologies¹ show an increase in the number of successfully implemented malicious actions in this area. In 2019, 125 attacks on industrial information systems (IS) were recorded. This is more than three times (or by 212%) higher than the same indicator in 2018 (40 attacks). The diagram of the distribution of the number of attacks by quarters of the year (Q) is shown in Fig. 1.
Fig. 1. Number of attacks on IS of enterprises in 2018 and 2019


Industrial IS are attacked mainly using malicious software (90% of attacks). This area is supervised by the Federal Security Service and the Federal Service for Technical and Export Control. The need to ensure cyber security (CS) of industrial information systems is confirmed by statistics of the leading research centers [1]. According to the regulatory legal acts of the Russian Federation², the owners of the OCII use a set of organizational and technical measures to ensure the safe operation of the information infrastructure. At the same time, the legislation provides for a periodic audit of the information protection system (IPS) performance and an assessment of its effectiveness. This results in prompt updating of the configuration settings of available tools or the retrofitting of the system with information security tools. A special role is played by the efficiency and accuracy of the decisions made, and the value of residual risk should not exceed the established indicators [2]. In this regard, it is proposed to automate the decision support process for designing the IPS at the enterprise.

Materials and Methods. To support decision-making in the design of IPS, a method based on a neural 
network (multilayer perceptron) was used [3]. Input data for the operation of a neural network were information 
security threats and security events. In addition, for an objective assessment of the initial information system security, a mathematical model of the analysis of security events was developed. Within this model, the calculated measures of IS similarity are compared with one of the IS security levels. Weighted Manhattan Distance is used as a similarity metric.

¹ Aktual'nye kiberugrozy: IV kvartal 2019 goda [Current cyber threats: Q4 2019]. Positive Technologies. URL: https://www.ptsecurity.com/ru-ru/research/analytics/cybersecurity-threatscape-2019-q4 (accessed 24.02.2020).

² O bezopasnosti kriticheskoi informatsionnoi infrastruktury RF: feder. zakon ot 26.07.2017, No. 187-FZ [On security of critical information infrastructure of the Russian Federation: Federal Law of July 26, 2017, no. 187-FZ]. RF State Duma, Federation Council. FSTEC of Russia. URL: https://fstec.ru/tekhnicheskaya-zashchita-informatsii/obespechenie-bezopasnosti-kriticheskoj-informatsionnoj-infrastruktury/285-zakony/1610-federalnyj-zakon-ot-26-1yulya-2017-g-n-187-fz (accessed 18.05.20).

Study Results. In the framework of this study, an approach to the design of a protection system based on the importance factors of the cyber security subsystems included in the IPS [4] is proposed. With these data, it is suggested to make a list of security tools for the most critical subsystems. This approach strengthens the IPS by neutralizing critical threats. Moreover, criticality should be specified through an automated analysis of security events [5, 6]. The vector of cyber security subsystem importance is generated according to the expression

$V = S(\mathit{Class\_Thr})$, (1)

where $V = (V_1, \dots, V_n)$ is the vector of IPS subsystem importance; $\mathit{Class\_Thr} = (\mathit{Class\_Thr}_1, \dots, \mathit{Class\_Thr}_6)$ is the vector of criticality of threat classes; $S$ is the functional relationship defined by a neural network.

For convenience, we divide the set of CS threats $\mathit{Thr}$ into classes $\mathit{Class\_Thr}$, which are defined as in [6]:

$\mathit{Class\_Thr} = \{\mathit{Thr\_Br}, \mathit{Thr\_L}, \mathit{Thr\_Dist}, \mathit{Thr\_Loss}, \mathit{Thr\_B}, \mathit{Thr\_A}\}$, (2)

where $\mathit{Thr\_Br}$ is the class of CS threats of the "cracking" type; $\mathit{Thr\_L}$ is the class of CS threats of the "leak" type; $\mathit{Thr\_Dist}$ is the class of CS threats of the "distortion" type; $\mathit{Thr\_Loss}$ is the class of CS threats of the "loss" type; $\mathit{Thr\_B}$ is the class of CS threats of the "blocking" type; $\mathit{Thr\_A}$ is the class of CS threats of the "abuse" type.

To generate the vector of IS CS threat criticality, it is proposed to form two matrices of compliance:

— set of threats to the set of threat classes — $\mathit{MThr}$;

— set of security events to threat classes — $\mathit{MEvent}$.

$\mathit{MThr}$ matrix:

$\mathit{MThr} = \mathit{Thr} \times \mathit{Class\_Thr} = (mth_{ij})$. (3)

Here, $mth_{ij}$ is determined from the formula:

$mth_{ij} = \begin{cases} \dfrac{1}{r}, & \text{if the threat belongs to the threat class,} \\ 0, & \text{if not.} \end{cases}$ (4)

Here, $r$ is the number of threat classes to which the threat belongs. In this case, $\forall i: \sum_{j} mth_{ij} = 1$.


$\mathit{MEvent}$ matrix:

$\mathit{MEvent} = \mathit{Events} \times \mathit{CThr} = (mev_{ij})$. (5)

Here, $mev_{ij}$ is determined from the formula:

$mev_{ij} = \begin{cases} 1, & \text{if the event occurs when a threat of the class is implemented,} \\ 0, & \text{if not.} \end{cases}$ (6)


To form the vector of the cyber security subsystem importance, it is proposed to use a neural network in a software package — a multilayer perceptron operating according to the formula given in [7]:

$\begin{aligned} In_{0k} &= v_k, \\ Out_{ij} &= f\Big(\sum_{l} w_{ijl}\, In_{ijl} - \theta_{ij}\Big), \\ In_{ijl} &= Out_{(i-1)l}, \end{aligned}$ (7)

where $In_{0k}$ is the $k$-th neuron of the input layer; $v_k$ is the $k$-th element of the input vector; $Out_{ij}$ is the output value of the $j$-th neuron of the $i$-th layer; $f$ is the neuron activation function, which is determined by the functional dependence $V$ (1); $w_{ijl}$ is the weight of the $l$-th input of the $j$-th neuron of the $i$-th layer; $In_{ijl}$ is the value of the $l$-th input of the $j$-th neuron of the $i$-th layer; $\theta_{ij}$ is the activation level of the $j$-th neuron of the $i$-th layer; $Out_{(i-1)l}$ is the output value of the $l$-th neuron of the $(i-1)$-th layer.
At the stage of analyzing security events, the initial data are the security event logs created by the system and the application software of the enterprise IS. The set of security events $\mathit{Events}$ includes the following classes [8]:

$\mathit{Events} = \{\mathit{EnterEv}, \mathit{ManagementSubEv}, \mathit{AccessObjEv}, \mathit{PolicyChangeEv}, \mathit{UsePrivilegesEv}, \mathit{ISProcessesEv}, \mathit{LevelISEv}\}$. (8)

Here, $\mathit{EnterEv}$ are events of the "subjects' log-on" class; $\mathit{ManagementSubEv}$ are events of the "subject management" class; $\mathit{AccessObjEv}$ are events of the "accessing objects" class; $\mathit{PolicyChangeEv}$ are events of the "system policy change" class; $\mathit{UsePrivilegesEv}$ are events of the "subject's use of exclusive privileges" class; $\mathit{ISProcessesEv}$ are events of the "system processes running" class; $\mathit{LevelISEv}$ are events of the "system level" class.

Dangerous events are selected from the set. Matrices of compliance are used to compare the set of dangerous events to threat classes. The matrix developed in the framework of this study is presented in Table 1.


Table 1. Matrix of compliance of CS threats of enterprise IS (rows: security event class; columns: threat types; the table body is not recoverable from the extracted text)
posed to the urgent threat classes. Compliance is determined using a neural network with account for the functional dependence $V$ in accordance with formula (1).

Quite an important factor is the number of analyzed sets of events and their sources. It should be noted that the number of security events is directly proportional to the number of sources — the information resources of the enterprise IS [8]. Given the large number of events generated by a working IS, it is reasonable to automatically collect and analyze data from the registration subsystems of the IS objects that describe events. In this regard, it is worth considering the analysis of security events in detail, since the adequacy of the generated design decisions depends on the correctness of the conclusions received at this stage.

According to [9, 10], at a given instant $t$, the current state of the enterprise IS $S_t \in \mathit{State}$, $\mathit{State} = \{S_{norm}, S_{dang}, S_{anorm}\}$, can be characterized as:

— normal ($S_{norm}$) — normal system operation in accordance with its tasks and as given in the documents regulating the work;

— dangerous ($S_{dang}$) — incorrect IS operation, when malfunctions associated with hacker attacks, crashes and failures of software and (or) hardware are recorded;

— abnormal ($S_{anorm}$) — temporary change in the normal IS operating mode and a surge in abnormal activity of users, programs and network traffic.
Dangerous and abnormal events require a more detailed analysis. A set of such events is the input to the stage of matching threat classes. Such events indicate the implementation of security threats.

Therefore, the results of monitoring and analysis of security events will be the input to the neural network (7).

Any security event $\mathit{EventIS}_i$ can be described by an attribute tuple [9]:

$\mathit{EventIS}_i = (ID, Data, Level, Source, EventType, EventState, SecureParams)$, (9)

where $ID$ is the event ID; $Data$ is the event generation time; $Level$ is the hazard level of the event; $Source$ is the source of the event; $EventType$ is the event type; $EventState$ is the event status; $SecureParams$ is the event security parameter vector.

$SecureParams = (h, u, risk)$, (10)

where $h$ is an indicator of the generation of events of a certain code relative to the total number of security events over the period $\Delta T$; $u$ is the severity of the consequences of the event (potential damage); $risk$ is the IS information security risk.

Over the period $\Delta T$, a set of IS events ($\mathit{EventIS}$) which should be evaluated to determine the level of IS security is generated in the information system. The ratio of the number of events of one type or another to the total number is determined by the indicator $h$:

$h = \dfrac{N_{EventID}}{N_{Event}}$, (11)

where $N_{EventID}$ is the number of events of a certain code, and $N_{Event}$ is the total number of events over the period $\Delta T$.

The application software defines event codes differently. So, in the framework of this work, we have considered the encoding of the Microsoft Windows OS³.

The IS information security risk is a function of the frequency of the event and the potential damage:

$risk = h \times u$. (12)

The sum of the private indicators determines the overall risk $RiskSum$:

$RiskSum = \sum_{i=1}^{N_{Event}} risk_i$. (13)

The set that provides the classification of events and the assessment of private indicators of IS security is described by subsets of elements:

$PPS = \{\{EvType\}, \{EvState\}, \{ISState\}\}$. (14)

Here, $EvType$ is the set of types of the detected events; $EvState$ is the set of possible event states:

$EvState = \{Ev^{n}, Ev^{d}, Ev^{a}\}$, (15)

where $Ev^{n}$ — events of normal IS operation; $Ev^{d}$ — IS CS threat events; $Ev^{a}$ — abnormal events characterizing deviations of the IS from the normal mode of operation (additional analysis is needed).

To determine whether event $\mathit{EventIS}_i$ belongs to one of the three states $EvState$, the classification problem is solved — the set $SP = \mathit{DamageEv} \cup \mathit{NormEv}$ is used, which is divided into two basic subsets. They are formed by an expert group on the basis of data on quick events of the normal IS operating mode and the previously detected CS attacks and incidents that describe the signature of IS quick and threat events:

— $\mathit{DamageEv}$ is a set of events that are known features of an attack or determine the scenario of an incident;

— $\mathit{NormEv}$ is a set of events typical for the normal mode of IS operation.


³ Opisanie sobytii sistemy bezopasnosti v Windows 7 i Windows Server 2008 R2 [Description of Security Events in Windows 7 and Windows Server 2008 R2]. Microsoft. URL: https://support.microsoft.com/ru-ru/help/977519/description-of-security-events-in-windows-7-and-in-windows-server-2008 (accessed 05.08.2019).
$F(\mathit{EventIS}_i(EvState) \to \{SP\}_i)$ are classified as follows:

$\mathit{EventIS}_i(EvState) = \begin{cases} Ev^{n}, & \mathit{EventIS}_i \in \mathit{NormEv}, \\ Ev^{d}, & \mathit{EventIS}_i \in \mathit{DamageEv}, \\ Ev^{a}, & \mathit{EventIS}_i \notin \mathit{NormEv} \cup \mathit{DamageEv}. \end{cases}$ (16)

Here, $\mathit{EventIS}_i(EvState)$ are IS events with a status attribute, each of which corresponds to a set of connections $SP_i$ with quick events from a set of templates of the normal mode and the mode with a CS breach.

If the event is not present in the profiles of quick events or security breach events, it is determined to be abnormal. The reasons for its occurrence should be considered separately by the administrator of the IS.

$ISState = \{\mathit{ISnorm}, \mathit{ISdang}, \mathit{ISanorm}\}$ is the set of IS statuses (modes of IS operation). The IS status is determined from the formula:

$ISState = \begin{cases} \mathit{ISnorm}, & \forall\, \mathit{EventIS}_i \in \mathit{EventIS}: EvState_i = Ev^{n}, \\ \mathit{ISdang}, & \exists\, \mathit{EventIS}_i \in \mathit{EventIS}: EvState_i = Ev^{d}, \\ \mathit{ISanorm}, & \text{otherwise (neither } \mathit{ISnorm} \text{ nor } \mathit{ISdang}), \end{cases}$ (17)

where $\mathit{ISnorm}$ is the mode of normal IS operation; $\mathit{ISanorm}$ is the mode of IS operation with features of abnormal activity; $\mathit{ISdang}$ is the mode with fixed IS security breaches (Fig. 2).


Fig. 2. Relationships of subsets of IS states (ISnorm: described by the set of normal events; ISdang: described by the set of security events; ISanorm: described by the set of abnormal events)


Based on the data obtained, a vector is formed that determines the IS status, the total risk, as well as the proportion of abnormal events and security breaches:

$IS = (ISState, RiskSum, NanalEv, NdandEv)$, (18)

where $NanalEv$ is the proportion of detected abnormal events, and $NdandEv$ is the proportion of events of a CS breach of the enterprise IS.

To make a decision on whether to strengthen information security subsystems, the IS security level $SL$ is calculated:

$SL = \{\text{safe}, \text{stable}, \text{abnormal}, \text{crisis}, \text{dangerous}\}$.

To determine the level of IS security, the designer of the CS system generates a vector that defines the reference indicator of the IS security, $\mathit{IS\_Perf}$. $SL$ is formed according to the similarity of the vectors $IS$ and $\mathit{IS\_Perf}$.

Five levels are accepted for evaluating the IS security within the framework of this mathematical model; therefore, when determining whether the IS belongs to one of the levels, the k-nearest neighbor method is used [10]. To this end, intermediate vectors corresponding to the remaining four security levels are compiled. This operation is based on the values of the $\mathit{IS\_Perf}$ vector corresponding to the safe level of the IS status, multiplied by a scalar correction factor (the value is determined by experiment):

$k \times RIS = (k \times ISState, k \times RiskSum, k \times NanalEvent, k \times NdandEvent)$. (19)

Weighted Manhattan distance is used as a similarity metric [10]:

$\rho(IS, RIS) = w \sum_{i=1}^{4} |IS_i - RIS_i|$. (20)

Based on the presented mathematical model, a generalized algorithm for the operation of a software prototype has been developed (Fig. 3).
Fig. 3. Algorithm of the software prototype of the intellectual decision support package for designing an information security system at the enterprise
Step 1 (blocks 1, 2). Launching the software prototype. The algorithm start. Input of data on the requirement vectors $\mathit{IS\_Perf}$ for the IS status of each security level. Entering the period over which monitoring will be conducted. Loading from the DB the templates with sets of normal and dangerous events.

Step 2 (blocks 3–5). Monitoring OS event logs, receiving records on each event. Event listing.

Step 3 (block 6). Data analysis of the collected events, formation of the event tuple — formula (8). Classification of events according to formulas (14–15) into normal, abnormal, and dangerous ones. Calculation of the frequency of occurrence of events, potential damage and risk using formulas (11–13).

Step 4 (blocks 7–11). Classification of IS states according to formula (17) based on the event distribution data into the set of abnormal, normal, and dangerous ones (step 3).

Step 5 (blocks 12–14). Based on the calculated data and the event tuple in the IS, formation of the current status vector, calculation of the similarity between the $IS$ and $\mathit{IS\_Perf}$ vectors: formulas (19), (20). Decision-making on whether the IS belongs to one of the five security levels.

Step 6 (block 15). The algorithm completion.
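As an added worked example (not code from the paper or its software prototype), the following Python script carries steps 3 to 5 of the algorithm through on a constructed event log: event classification by the expert templates (16), the indicators h, risk and RiskSum (11)–(13), the IS status (17), the IS vector (18), the reference vectors k × IS_Perf (19) and the nearest reference under the weighted Manhattan distance (20). The event codes, severities u, the IS_Perf vector, the factors k, the per-component weights w (a generalization of the scalar w in (20)) and the numeric encoding of ISState are all assumptions chosen for the illustration.

```python
from collections import Counter

# Constructed example data (not from the paper). Numeric event codes stand in
# for Windows Security log event IDs; severities u are illustrative.
NORM_EV = {4624, 4634, 4672}      # expert template: events of the normal IS mode
DAMAGE_EV = {4625, 4720, 1102}    # expert template: known attack features / incident steps
SEVERITY = {4624: 0.0, 4634: 0.0, 4672: 0.1, 4625: 0.3, 4720: 0.7, 1102: 0.9}
DEFAULT_U = 0.5                   # assumed damage for codes outside both templates
IS_STATE_CODE = {"ISnorm": 1.0, "ISanorm": 2.0, "ISdang": 3.0}  # assumed numeric encoding
IS_PERF = (1.0, 0.10, 0.05, 0.02)  # designer's reference vector for the "safe" level (assumed)
K = {"safe": 1.0, "stable": 1.5, "abnormal": 2.0, "crisis": 2.5, "dangerous": 3.0}  # (19) factors, assumed
W = (0.5, 2.0, 1.0, 1.0)          # per-component weights for the distance (20), assumed

def ev_state(code):
    """Formula (16): normal (n), dangerous (d), or abnormal (a) if in neither template."""
    if code in NORM_EV:
        return "n"
    if code in DAMAGE_EV:
        return "d"
    return "a"

def is_state(states):
    """Formula (17): ISnorm if all events are normal, ISdang if any is dangerous, else ISanorm."""
    if all(s == "n" for s in states):
        return "ISnorm"
    if any(s == "d" for s in states):
        return "ISdang"
    return "ISanorm"

def is_vector(events):
    """Formulas (11)-(13) and (18): IS = (ISState, RiskSum, NanalEv, NdandEv)."""
    n = len(events)
    states = [ev_state(c) for c in events]
    risk_sum = 0.0
    for code, count in Counter(events).items():
        h = count / n                                          # (11) share of this event code
        risk_sum += count * h * SEVERITY.get(code, DEFAULT_U)  # (12) risk = h*u per event, summed (13)
    return (IS_STATE_CODE[is_state(states)], risk_sum,
            states.count("a") / n, states.count("d") / n)

def distance(vec, ref):
    """Formula (20): weighted Manhattan distance between IS and a reference vector RIS."""
    return sum(w * abs(a - b) for w, a, b in zip(W, vec, ref))

def security_level(events):
    """Steps 3-5: the nearest of the five reference vectors k*IS_Perf (19) decides the level SL."""
    vec = is_vector(events)
    refs = {lvl: tuple(k * x for x in IS_PERF) for lvl, k in K.items()}
    dists = {lvl: distance(vec, ref) for lvl, ref in refs.items()}
    return min(dists, key=dists.get), vec, dists

# Constructed log for one monitoring period dT: 20 events, 5 of them attack features.
SAMPLE_EVENTS = [4624] * 6 + [4634] * 5 + [4672] * 2 + [4625] * 4 + [5555] * 2 + [1102]

if __name__ == "__main__":
    level, vec, dists = security_level(SAMPLE_EVENTS)
    print("IS =", vec, "-> SL =", level)
```

With the sample log the IS vector is (3.0, 0.405, 0.1, 0.25) and the nearest reference is the "dangerous" level; swapping the five 4625/1102 events for 4624 yields ISanorm and a lower level, which shows how the event templates, not the raw event count, drive the decision.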

Discussion and Conclusion. In the framework of this study, an approach to modeling an information security system is proposed. A different qualitative and quantitative set of security tools is taken into account depending on the actual threats of information security breaches. The presented method increases the efficiency of the introduced cyber security system and reduces the likelihood of a designer's mistake. The software package developed as part of this study has advantages that cannot be obtained under "manual" design:

- accounting of all data on the protected system,

- obtaining accurate results at the earliest.